When you configure your Netscaler to protect a back-end website or web service and set it up as a SAML SP, you might hit this error once in a while:
The most likely reason is that the SAML token is not yet valid. Most of the time the user can simply click refresh and continue, but of course we want to avoid these messages in the first place.
Why does this happen?
If the clock on your Netscaler falls behind a little, which is quite often the case in virtualized environments, the user gets this error: the NotBefore timestamp in the assertion is stamped with the IdP's clock, so it lies in the Netscaler's future and the token is "not yet valid" from the Netscaler's point of view. Keeping clocks in step down to the millisecond, especially on virtual machines, still has to be considered an issue, or at least very tricky.
Can you solve this on the Netscaler?
If your NTP server settings are already configured correctly, the answer is NO.
The Netscaler enforces the SAML validity rules strictly: it denies any SAML token whose Conditions window (NotBefore up to NotOnOrAfter) does not contain the current time. The SAML standard gives an SP no option to relax that time validation, which from a security point of view makes perfect sense. However, the relaxation can be built into the SAML token by the IdP, by issuing a NotBefore that lies slightly in the past, and the Netscaler then validates that token as usual.
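To make the failure mode concrete, here is an added example that is not code from the original post or from Citrix: a stand-in for the SP-side validity check, run against a constructed ADFS-style assertion, first with the IdP's clock and the Netscaler's clock 20 seconds apart and no skew (the assertion starts in the SP's future and is refused as not yet valid), then with a NotBeforeSkew of one minute on the IdP side (the same lag is absorbed). Assumptions, all mine: the assertion XML is constructed, the SP applies the plain rule NotBefore <= now < NotOnOrAfter with no skew of its own, and the 60-minute lifetime stands in for the ADFS token lifetime.

```powershell
# Added example (not from the original post): simulate the SP-side Conditions check
# for a constructed ADFS-style assertion and a lagging SP clock.

function New-ConstructedAssertion {
    param(
        [Parameter(Mandatory)] [datetime] $IdpClock,   # the IdP's "now" (UTC)
        [int] $NotBeforeSkewMinutes = 0,               # models ADFS NotBeforeSkew on the RPT
        [int] $LifetimeMinutes = 60                    # assumed token lifetime
    )
    $utc = [System.Xml.XmlDateTimeSerializationMode]::Utc
    # ADFS moves NotBefore into the past by the configured skew; NotOnOrAfter is unchanged.
    $notBefore    = [System.Xml.XmlConvert]::ToString($IdpClock.AddMinutes(-$NotBeforeSkewMinutes), $utc)
    $notOnOrAfter = [System.Xml.XmlConvert]::ToString($IdpClock.AddMinutes($LifetimeMinutes), $utc)
    $issueInstant = [System.Xml.XmlConvert]::ToString($IdpClock, $utc)
    # Constructed assertion skeleton; only the Conditions element matters for this check.
    [xml] @"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0" IssueInstant="$issueInstant">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:Conditions NotBefore="$notBefore" NotOnOrAfter="$notOnOrAfter" />
</saml:Assertion>
"@
}

function Test-SamlConditions {
    param(
        [Parameter(Mandatory)] [xml]      $Assertion,
        [Parameter(Mandatory)] [datetime] $SpClock    # the SP's "now" (UTC)
    )
    $ns = New-Object System.Xml.XmlNamespaceManager($Assertion.NameTable)
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion')
    $cond = $Assertion.SelectSingleNode('/saml:Assertion/saml:Conditions', $ns)
    $utc  = [System.Xml.XmlDateTimeSerializationMode]::Utc
    $notBefore    = [System.Xml.XmlConvert]::ToDateTime($cond.GetAttribute('NotBefore'), $utc)
    $notOnOrAfter = [System.Xml.XmlConvert]::ToDateTime($cond.GetAttribute('NotOnOrAfter'), $utc)

    # Strict rule assumed for the SP: accept only if NotBefore <= now < NotOnOrAfter.
    $verdict = 'Accepted'
    if ($SpClock -lt $notBefore)    { $verdict = 'NotYetValid' }
    if ($SpClock -ge $notOnOrAfter) { $verdict = 'Expired' }

    New-Object PSObject -Property @{
        Verdict      = $verdict
        SpClock      = $SpClock
        NotBefore    = $notBefore
        NotOnOrAfter = $notOnOrAfter
        Lag          = $notBefore - $SpClock   # positive: assertion starts in the SP's future
    }
}

# Scenario from the post: ADFS issues the token "now", the Netscaler's clock runs 20 s behind.
$idpClock = New-Object System.DateTime -ArgumentList 2020,1,1,12,0,0,([System.DateTimeKind]::Utc)
$spClock  = $idpClock.AddSeconds(-20)

$noSkew   = Test-SamlConditions -Assertion (New-ConstructedAssertion -IdpClock $idpClock) -SpClock $spClock
$withSkew = Test-SamlConditions -Assertion (New-ConstructedAssertion -IdpClock $idpClock -NotBeforeSkewMinutes 1) -SpClock $spClock

"NotBeforeSkew 0 min: $($noSkew.Verdict), assertion starts $($noSkew.Lag.TotalSeconds) s in the SP's future"
"NotBeforeSkew 1 min: $($withSkew.Verdict), assertion started $(-$withSkew.Lag.TotalSeconds) s ago on the SP's clock"
```

The Lag value is the quantity worth watching in a real incident: it equals the clock difference between IdP and SP, and the NotBeforeSkew you configure only needs to cover that difference, rounded up to the next minute.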
So what can you do?
You can configure your SAML IdP to allow some "relaxation" of time differences by defining a so-called "NotBeforeSkew" (in minutes): the IdP then sets the token's NotBefore that many minutes in the past.
If you have a Microsoft ADFS server you can handle it with PowerShell:
- Open a PowerShell prompt.
- Add the AD FS snap-in to your PowerShell session and read the relying party trust of your SAML SP:

    Add-PSSnapin Microsoft.Adfs.PowerShell
    Get-ADFSRelyingPartyTrust -Identifier "<<your SAML SP identifier>>"

- Find "NotBeforeSkew" in the output:
- Change your "Not Before Skew" to 1 minute (the value can be 0 to 5 minutes):

    Set-ADFSRelyingPartyTrust -TargetIdentifier "<<your SAML SP identifier>>" -NotBeforeSkew 1

- Check the output again:

    Get-ADFSRelyingPartyTrust -Identifier "<<your SAML SP identifier>>"

And look for "NotBeforeSkew" again:
The result is that the validity interval of your SAML token now starts a little earlier (1 minute in the past) on your ADFS server. The Netscaler accepts the token and the user gets his or her secure access. Keep the skew as small as the observed clock difference requires: every extra minute also widens the window in which an intercepted or replayed assertion still falls inside its validity interval, so the NTP configuration on both sides stays the real fix.
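The three steps above, folded into one function as an added example (not from the original post or from Microsoft): it records the current value, changes it only when it differs from the requested one, re-reads the relying party trust afterwards and fails loudly if the new value did not stick. Assumptions, all mine: the identifier in the usage line is a placeholder for your SAML SP identifier; the 0 to 5 minute range is the one the post quotes; ADFS 2.0 exposes the cmdlets through the Microsoft.Adfs.PowerShell snap-in while later versions ship an auto-loading module, so the snap-in is only added when the cmdlet is not already available.

```powershell
# Added example (not from the original post): idempotent NotBeforeSkew change on an
# ADFS relying party trust, with before/after verification.

function Set-RptNotBeforeSkew {
    param(
        [Parameter(Mandatory)] [string] $Identifier,   # the SAML SP identifier of the RPT
        [ValidateRange(0, 5)]  [int]    $Minutes = 1   # range as quoted in the post
    )
    # ADFS 2.0: cmdlets live in a snap-in. Newer ADFS: auto-loading module, nothing to add.
    if (-not (Get-Command Get-AdfsRelyingPartyTrust -ErrorAction SilentlyContinue)) {
        Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop
    }

    $rpt = Get-AdfsRelyingPartyTrust -Identifier $Identifier
    if (-not $rpt) { throw "No relying party trust has the identifier '$Identifier'." }

    $before = [int]$rpt.NotBeforeSkew
    if ($before -ne $Minutes) {
        Set-AdfsRelyingPartyTrust -TargetIdentifier $Identifier -NotBeforeSkew $Minutes
    }

    # Re-read instead of trusting the Set call; this is the post's "check the output again" step.
    $after = [int](Get-AdfsRelyingPartyTrust -Identifier $Identifier).NotBeforeSkew
    if ($after -ne $Minutes) {
        throw "NotBeforeSkew on '$($rpt.Name)' is $after after the change, expected $Minutes."
    }

    New-Object PSObject -Property @{
        Name       = $rpt.Name
        Identifier = $Identifier
        Before     = $before
        After      = $after
        Changed    = ($before -ne $after)
    }
}

# Usage (placeholder identifier): relax the window by one minute and show what changed.
Set-RptNotBeforeSkew -Identifier 'https://netscaler.example.test/saml' -Minutes 1 | Format-List
```

Run it on the ADFS server in an elevated session with an account that may administer AD FS; the returned object is what you paste into the change record, since it shows the old and new value side by side.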
Thanks Tijl (Citrix) for your help in finding the solution for this.